Slashdot Mirror


Bug Bounties Aren't Silver Bullet for Better Security (infosecurity-magazine.com)

Many organizations may find they're better off hiring pen testers and in-house security researchers directly than running bug bounty programs, according to new MIT research. From a report: The New Solutions for Cybersecurity paper features a surprising analysis of bug bounty programs in the chapter, Fixing a Hole: The Labor Market for Bugs. It studied 61 HackerOne bounty programs over 23 months -- including those run for Twitter, Coinbase, Square and other big names -- and one Facebook program over 45 months. It claimed that, contrary to industry hype, organizations running these programs don't benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western standards.

7 of 95 comments

  1. Sure not by Chatterton · · Score: 1, Insightful

    But they're a bullet in the arsenal against bugs...

  2. Uh okay? by bhcompy · · Score: 4, Insightful

    It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western

    Who said it's supposed to be a full-time job? Bounties aren't jobs. They're rewards for ethical disclosure.

    1. Re:Uh okay? by Anonymous Coward · · Score: 2, Insightful

      That's not realistic. You don't stumble upon security bugs. Finding these bugs requires targeted effort. Somebody has to pay for that effort. The black hats are motivated: they can profit by exploiting the bugs. Why would a white hat put in the effort if they don't get paid adequately?

  3. Re:How to fix bugs by mwvdlee · · Score: 2, Insightful

    Kinda like how hospitals should only hire good doctors so nobody will ever die again.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  4. Re:It takes more than one bullet by gweihir · · Score: 3, Insightful

    Indeed. Security is _hard_ and expensive. A level of security where most or all relevant attackers will just go elsewhere can be reached but it takes real effort. And it takes experience, KISS and using pen-tests, potentially bug-bounties (that are higher than what scum like the NSA feeding bug-traders offer), secure architecture and design, having security-aware coders, external security-reviews of architecture, design and implementation, etc.

    Expect secure coding to be, at the very least, about 2x as expensive as the slap-dash insecure messes usually rolled out these days.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. Re: How to fix bugs by jd · · Score: 3, Insightful

    Coders are useless without good specifications, good practices and good languages. Test driven design beats most other forms.

    Not many workplaces know how to do that, let alone budget the time to.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  6. There are no silver bullets for anything. by 140Mandak262Jamuna · · Score: 3, Insightful

    There are no silver bullets for anything.

    Saying X is not a silver bullet for Y is a misleading rhetorical tactic. If X is better than !X for Y, then X is one of the solutions. That it is not a complete solution is irrelevant. If there is a Z that is better than X, then that is a valid argument.

    "X will not solve Y" is typically used by vested interests against X, not by people who are genuinely interested in solving Y.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact